Honeynet Project
Scan of the Month Challenge (Scan 27)
By Skeets Norquist
4/34/03
Introduction
I have just recently learned of the Honeynet Project and this is my first
attempt at a Scan of the Month Challenge.
1. What is IRC?
A quick search on www.rfc-editor.org yields several RFCs detailing IRC, which
stands for Internet Relay Chat. IRC is an Internet protocol that allows users to
send instant text messages to each other. IRC uses a client/server
architecture -- a client connects to a single IRC server, which can then
forward messages on to other clients or to other IRC servers. Messages can be
sent to a single user or broadcast to various groups of users. Additionally,
users can create and manage "channels", which are clusters of users who all
receive each other's messages.
2. What message is sent by an IRC client when it asks to join an IRC network?
This is accomplished by the JOIN message. RFC 2812 (section 3.2.1) describes the syntax as:
Command: JOIN
Parameters: ( <channel> *( "," <channel> ) [ <key> *( "," <key> ) ] )
/ "0"
The client can supply a comma-separated list of channels to join and an optional
comma-separated list of keys (passwords), one per channel; the "0" form leaves all
channels.
3. What is a botnet?
A Google search on "What is a botnet?" returns this informative webpage
http://zine.dal.net/previousissues/issue19/botnet.php. This page describes a
botnet as a collection of fake IRC users created by trojan programs that have
spread throughout the internet. These Trojans are programmed to connect to
IRC networks, join a pre-determined channel, and then wait for their creator
to issue them commands through this same IRC channel.
4. What are botnets commonly used for?
The previously referenced web page describes the damage botnets can do:
attempt to create more bots by spamming other IRC channels with the address of
a trojanned web page, maliciously flood other IRC channels, glean
nickname/password information from infected IRC users, or launch Denial of
Service attacks. These Denial of Service attacks can be especially
devastating as they are of the distributed variety, since the botnets consist
of numerous bots spread throughout the Internet.
5. What TCP ports does IRC generally use?
A little Googling for "IRC" brought up a good IRC FAQ page
(http://www.irchelp.org/irchelp/altircfaq.html) that says that the most
commonly used TCP port for IRC is 6667.
6. What is a binary log file and how is one created?
A binary log file contains the raw packets captured from a network interface by a
tool like tcpdump or Snort, stored in the capture tool's own binary format rather
than as readable text. You can analyze this data afterwards to see what sort of
network traffic a host has.
7. What IRC servers did the honeypot, which has the IP address 172.16.134.191,
communicate with?
I used Ethereal to analyze the honeypot log file. I filtered the packets to
those where the IP source address was the address of the honeypot
(172.16.134.191) and the TCP port indicated IRC traffic (port 6667). My
filter looked like this:
tcp.port == 6667 and ip.src == 172.16.134.191
Then I sorted the listing by destination IP address and saw that there were
these unique hosts:
66.33.65.58
63.241.174.144
217.199.175.10
209.196.44.172
209.126.161.29
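To make questions 6 and 7 concrete, here is an added example (my own code, not part of this write-up or of the Honeynet Project's material) that builds a small classic libpcap "binary log file" in memory, walks its 24-byte global header and 16-byte per-record headers, decodes the Ethernet/IPv4/TCP headers, and then applies the same selection as the Ethereal filter "tcp.port == 6667 and ip.src == 172.16.134.191" to list the IRC servers a host talked to. All packets are constructed here; the only values taken from the page are the honeypot address and port 6667, and the peer addresses are documentation ranges, not the challenge's servers.

```python
"""Build, parse and filter a classic libpcap capture entirely offline.

Added example, not code from the original write-up. Every packet below is
constructed in-process; checksums are left at zero because the point is the
on-disk layout of the log file, not protocol correctness.
"""
import struct
from typing import Dict, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6

HONEYPOT = "172.16.134.191"  # address given in the challenge
IRC_PORT = 6667


def _ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II + minimal IPv4 (20 bytes) + minimal TCP (20 bytes) + payload."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window 8192
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[Tuple[int, bytes]], snaplen: int = 65535) -> bytes:
    """Serialise (timestamp_seconds, frame) pairs the way tcpdump -w would."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(blob: bytes) -> List[Dict]:
    """Return one dict per record with addresses, ports and TCP payload."""
    magic = struct.unpack("<I", blob[:4])[0]
    if magic == PCAP_MAGIC:
        order = "<"                      # written on a little-endian host
    elif magic == 0xD4C3B2A1:
        order = ">"                      # written on a big-endian host
    else:
        raise ValueError("not a classic pcap file (bad magic)")
    linktype = struct.unpack(order + "IHHiIII", blob[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    packets, off = [], 24
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", blob[off:off + 16])
        off += 16
        frame = blob[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[14 + 9]
        entry = {"ts": ts_sec + ts_usec / 1e6, "proto": proto,
                 "src": ".".join(str(b) for b in frame[26:30]),
                 "dst": ".".join(str(b) for b in frame[30:34])}
        if proto == IPPROTO_TCP:
            t = 14 + ihl
            sport, dport = struct.unpack("!HH", frame[t:t + 4])
            data_off = (frame[t + 12] >> 4) * 4
            entry.update(sport=sport, dport=dport, payload=frame[t + data_off:])
        packets.append(entry)
    return packets


def irc_peers_of(packets: List[Dict], host: str, port: int = IRC_PORT) -> List[str]:
    """Same selection as  tcp.port == <port> and ip.src == <host>, as sorted unique peers."""
    return sorted({p["dst"] for p in packets
                   if p["proto"] == IPPROTO_TCP and p["src"] == host
                   and port in (p["sport"], p["dport"])})


SAMPLE_FRAMES = [  # constructed traffic; peers are documentation addresses
    (1050000000, build_frame(HONEYPOT, "192.0.2.10", 1035, IRC_PORT, b"NICK bot1\r\n")),
    (1050000001, build_frame("192.0.2.10", HONEYPOT, IRC_PORT, 1035, b":irc.example PING\r\n")),
    (1050000002, build_frame(HONEYPOT, "198.51.100.7", 1036, IRC_PORT, b"JOIN #chan\r\n")),
    (1050000003, build_frame(HONEYPOT, "203.0.113.5", 1037, 80, b"GET / HTTP/1.0\r\n")),
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

if __name__ == "__main__":
    pkts = parse_pcap(SAMPLE_PCAP)
    print(len(pkts), "packets; IRC peers of honeypot:", irc_peers_of(pkts, HONEYPOT))
```

Writing SAMPLE_PCAP to disk gives a file that tcpdump -r or Ethereal will open, which is a handy way to check that a decoder agrees with the real tools before trusting it on a capture that matters.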
8. During the observation period, how many distinct hosts accessed the botnet
associated with the server having IP address 209.196.44.172?
First I tried this filter in Ethereal:
tcp.port == 6667 and ip.dst == 209.196.44.172 and irc
But this only showed where the honeypot was talking to 209.196.44.172. What I
really wanted to know is where 209.196.44.172 was talking to other hosts in
the botnet. So I modified my filter:
tcp.port == 6667 and ip.src == 209.196.44.172 and irc
At first I thought this was a failure since the IP destination field in this
list was just the address of the honeypot. Well duh, of course it is -- the
log only captures data sent to and from the honeypot, not between third party
hosts.
But closer inspection of these packets showed that they indeed had the data I
was looking for: They contained IRC messages about bots (and their associated
hosts) entering and leaving the botnet. So I opened up the filter a little
bit to show both traffic sent from the honeypot to 209.196.44.172 and traffic
from 209.196.44.172 to the honeypot (so I could see both sides of the
conversation):
tcp.port == 6667 and ip.addr == 209.196.44.172 and irc
I saved this data to a new file so that I had all my IRC traffic of interest
in one place. At this point I could probably glean the host addresses from
these IRC messages using a combination of tcpdump and perl. Printing out data
that matched the regular expression "@[^ ]* " (an at symbol followed by any
number of non-spaces followed by a space) would do it. Then I could use the
Unix "sort" and "uniq" commands to generate a list of unique hosts. The
last step would be to count the list with "wc".
Unfortunately all I have at my disposal right now is a Windows box and so I
don't have the necessary tools. However the number of hosts accessing
209.196.44.172 must be less than 9796, which is the number of IRC packets sent
between the honeypot and 209.196.44.172.
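The extraction sketched above (grep for "@[^ ]* ", then sort | uniq | wc) can be done in a few lines of any scripting language, so here is an added example (my own code, not part of this write-up) run over a constructed IRC server stream. It shows the author's regex approach side by side with a parse of the RFC 2812 prefix ":nick!user@host" restricted to JOIN/PART/QUIT lines, and why the two disagree: the bare regex also matches an "@" inside chat text, so it over-counts. The nicks, hostnames and addresses in the sample are placeholders, and the bandwidth helper simply applies the 56 kbps-per-host assumption from question 9 to whatever count is found.

```python
"""Count distinct bot hosts in an IRC server->client stream.

Added example, not code from the original write-up; the lines in
SAMPLE_STREAM are constructed and every nick/host in them is a placeholder.
"""
import re
from typing import Dict, Set

# The author's sketch: an '@' followed by non-spaces, then a space.
AT_RE = re.compile(r"@([^ ]*) ")

# Structured version: RFC 2812 prefix  :nick!user@host <command> ...
LINE_RE = re.compile(r"^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+)\s+(?P<cmd>\S+)")

MEMBERSHIP_COMMANDS = ("JOIN", "PART", "QUIT")

SAMPLE_STREAM = (  # constructed; mimics what a server sends a client in a channel
    b":irc.example.net 001 honeybot :Welcome to the network\r\n"
    b":bot01!~x@192.0.2.10 JOIN :#botchan\r\n"
    b":bot02!~x@198.51.100.7 JOIN :#botchan\r\n"
    b":bot01!~x@192.0.2.10 QUIT :Ping timeout\r\n"
    b":bot01!~x@192.0.2.10 JOIN :#botchan\r\n"          # same host rejoining
    b":bot03!~x@dsl-12.example.org JOIN :#botchan\r\n"
    b":owner!~o@203.0.113.5 PRIVMSG #botchan :mail admin@example.net for keys\r\n"
    b":bot02!~x@198.51.100.7 PART #botchan\r\n"
)


def hosts_by_regex(stream: bytes) -> Set[str]:
    """Author's method over raw data. Catches every prefix, but also the
    'admin@example.net ' inside the PRIVMSG text, so it over-counts."""
    return set(AT_RE.findall(stream.decode("utf-8", "replace")))


def hosts_by_prefix(stream: bytes) -> Dict[str, Set[str]]:
    """Map host -> nicks seen from it, using only membership commands so that
    chat text (and the channel owner's own lines) cannot pollute the count."""
    seen: Dict[str, Set[str]] = {}
    for raw in stream.split(b"\r\n"):
        m = LINE_RE.match(raw.decode("utf-8", "replace"))
        if m and m.group("cmd") in MEMBERSHIP_COMMANDS:
            seen.setdefault(m.group("host"), set()).add(m.group("nick"))
    return seen


def count_distinct_hosts(stream: bytes) -> int:
    """The 'sort | uniq | wc -l' step, on the structured parse."""
    return len(hosts_by_prefix(stream))


def aggregate_kbps(host_count: int, per_host_kbps: int = 56) -> int:
    """Question 9's assumption: every host has a 56 kbps link."""
    return host_count * per_host_kbps


if __name__ == "__main__":
    print("regex hosts :", sorted(hosts_by_regex(SAMPLE_STREAM)))
    print("parsed hosts:", hosts_by_prefix(SAMPLE_STREAM))
    n = count_distinct_hosts(SAMPLE_STREAM)
    print("distinct bot hosts:", n, "=> aggregate", aggregate_kbps(n), "kbps")
```

Because each JOIN, PART or QUIT arrives in at least one packet, the distinct-host count can never exceed the number of IRC lines, which is the same upper-bound reasoning the write-up uses with its packet count.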
9. Assuming that each botnet host has a 56 kbps network link, what is the
aggregate bandwidth of the botnet?
Using my number above, it must be less than
9796 x 56 kbps = 548576 kbps = 535 Mbps
Conclusion
This was an interesting and enjoyable challenge. I now have a much firmer
handle on IRC and network traffic in general. This was my first time using a
tool like Ethereal and I can see its usefulness. I'm hoping to set up a
Linux box and dig into other tools as well, such as tcpdump and Snort.